Key legal bases
Under the GDPR, there are a number of approved reasons (or "legal bases") a company might legitimately process a person's data. Below, we've outlined the most relevant legal bases under the GDPR.
| Reason | Requirements |
| Contractual necessity | Data processed must be necessary for the Service and defined in the contract with the individual |
| Content | • Requires a freely given, specific, informed and unambiguous consent by clear affirmative action • People have a right to withdraw consent, which must be brought to their attention • Must be from a person over the age of consent specified in that Member State, otherwise given by or authorised by a parent/guardian • Explicit consent is required for some processing (e.g. special categories of personal data) |
| Legitimate interests | • If a business or a third party has legitimate interests that are not overridden by individuals' rights or interests. • Processing must be paused if an individual objects to it |
